"Protection System" Fake AntiVirus
This sleek program is another to watch out for, so don't be tricked.
It appears that the client was browsing bebo.com and facebook.com when their browser was hijacked and redirected to
another site, which then began installing this program.
Below are the entries found in the Registry (if you are unfamiliar with the registry, leave this page NOW)
and the files associated with the program.
Key Name:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32
- Value 0
Name: (Default)
Type: REG_SZ
Data: C:\Program Files\Protection System\CoreExt.dll
Key Name:
HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\SimpleShlExt
- Value 0
Name: (Default)
Type: REG_SZ
Data: {5E2121EE-0300-11D4-8D3B-444553540000}
Key Name:
HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\SimpleShlExt
- Value 0
Name: (Default)
Type: REG_SZ
Data: {5E2121EE-0300-11D4-8D3B-444553540000}
Key Name:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
- Value 0
Name: {5E2121EE-0300-11D4-8D3B-444553540000}
Type: REG_SZ
Data: Protection System extension
Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value 14
Name: braviax
Type: REG_SZ
Data: braviax.exe
Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Protection System
- Value 0
Name: Settings_0
Type: REG_DWORD
Data: 0x0
- Value 1
Name: SecStatus_3
Type: REG_DWORD
Data: 0x1
- Value 2
Name: SecStatus_4
Type: REG_DWORD
Data: 0x1
- Value 3
Name: SecStatus_5
Type: REG_DWORD
Data: 0x1
- Value 4
Name: FD
Type: REG_DWORD
Data: 0x0
- Value 5
Name: GUID
Type: REG_SZ
Data: 554784455547837555478305
- Value 6
Name: Data
Type: REG_SZ
Data: :2070:2215:2505:2650:2795:2940:3085:3230:3375:
- Value 7
Name: swver
Type: REG_SZ
Data: 1.0
- Value 8
Name: dbver
Type: REG_SZ
Data: 1.0
- Value 9
Name: dbsigns
Type: REG_SZ
Data: 61473
- Value 10
Name: InfectedFiles
Type: REG_SZ
Data: C:\WINDOWS\System32\mll_qic.dll,C:\WINDOWS\System32\msrepl40.dll,C:\WINDOWS\System32\olecli.dll,C:\WINDOWS\System32\rasser.dll,C:\WINDOWS\System32\shimeng.dll,C:\WINDOWS\System32\tsddd.dll,C:\WINDOWS\System32\wiashext.dll,C:\WINDOWS\System32\wucltui.dll,C:\WINDOWS\System32\Wbem\wbemcore.dll,C:\WINDOWS\xazyzeco.dll,C:\WINDOWS\Help\dkconcepts.chm,C:\WINDOWS\Help\windows.chm,C:\WINDOWS\Fonts\FRUTSI_C.TTF,C:\WINDOWS\Fonts\vga863.fon,C:\WINDOWS\System32\bidispl.dll,C:\WINDOWS\System32\c_10017.nls,C:\WINDOWS\System32\dplay.dll,C:\WINDOWS\System32\fxsst.dll,C:\WINDOWS\wmsetup10.log,C:\WINDOWS\Help\dijoy.hlp,C:\WINDOWS\Help\wbemtest.chm,C:\WINDOWS\Fonts\FRUTSB_A.TTF,C:\WINDOWS\Fonts\vga850.fon,C:\WINDOWS\System32\bcbsmp50.bpl,C:\WINDOWS\System32\c_037.nls,C:\WINDOWS\System32\docprop.dll,C:\WINDOWS\System32\fxsperf.dll,C:\WINDOWS\WMFDist11.log,C:\WINDOWS\Help\dialer.chm,C:\WINDOWS\Help\verifier.hlp,C:\WINDOWS\Fonts\Framdcn.TTF,C:\WINDOWS\Fonts\verdanaz.ttf,C:\WINDOWS\System32\batmeter.dll,C:\WINDOWS\System32\ctl3dv2.dll,C:\WINDOWS\System32\dnsapi.dll,C:\WINDOWS\System32\fxsevent.dll,C:\WINDOWS\WindowsUpdate.log,C:\WINDOWS\Help\ddeshare.chm,C:\WINDOWS\Help\twclient.chm,C:\WINDOWS\Fonts\frabk.ttf,C:\WINDOWS\Fonts\trebuc.ttf,C:\WINDOWS\System32\avicap.dll,C:\WINDOWS\System32\cscdll.dll,C:\WINDOWS\System32\dmremote.exe,C:\WINDOWS\System32\fxscfgwz.dll,C:\WINDOWS\smscfg.ini,C:\WINDOWS\Help\certmgr.hlp,C:\WINDOWS\Help\sounds.chm,C:\WINDOWS\Fonts\courfr.fon,C:\WINDOWS\Fonts\smallfe.fon,C:\WINDOWS\System32\ansi.sys,C:\WINDOWS\System32\compobj.dll,C:\WINDOWS\System32\dhcpmon.dll,C:\WINDOWS\System32\filemgmt.dll,C:\WINDOWS\QUICKEN.INI,C:\WINDOWS\Help\agt0415.hlp,C:\WINDOWS\Help\rsm.chm,C:\WINDOWS\Fonts\cga40woa.fon,C:\WINDOWS\Fonts\Rockeb.TTF,C:\WINDOWS\System32\accwiz.exe,C:\WINDOWS\System32\cmos.ram,C:\WINDOWS\System32\debug.exe,C:\WINDOWS\System32\eventvwr.msc,C:\WINDOWS\orun32.ini,C:\WINDOWS\Help\agt0405.hlp,C:\WINDOWS\Help\qosconcepts.chm,C:\WINDOWS\Fonts\BOOKOSBI.TTF,C:\WINDOWS\Fonts\Per_____.TTF,C:\WINDOWS\System\WFWNET.DRV,C:\WINDOWS\System32\cliconfg.rll,C:\WINDOWS\System32\dbmsrpcn.dll,C:\WINDOWS\System32\esent.dll,C:\WINDOWS\NSSetDefaultBrowser.ini,C:\WINDOWS\Help\access.chm,C:\WINDOWS\Help\phowto.chm,C:\WINDOWS\Fonts\ArialN.TTF,C:\WINDOWS\Fonts\OUTLOOK.TTF,C:\WINDOWS\System\setup.inf,C:\WINDOWS\System32\cisvc.exe,C:\WINDOWS\System32\d3drm.dll,C:\WINDOWS\System32\edlin.exe,C:\WINDOWS\KB971557.log,C:\WINDOWS\Media\Windows XP Default.wav,C:\WINDOWS\Help\nvwcpno.hlp,C:\WINDOWS\Fonts\8514sys.fon,C:\WINDOWS\Fonts\Lsansi.TTF,C:\WINDOWS\Tasks\SA.DAT,C:\WINDOWS\System32\cdfview.dll,C:\WINDOWS\System32\c_855.nls,C:\WINDOWS\System32\dsprop.dll,C:\WINDOWS\KB969897-IE7.log,C:\WINDOWS\Media\Windows XP Balloon.wav,C:\WINDOWS\Help\nvwcpja.hlp,C:\WINDOWS\Fonts\8514oeme.fon,C:\WINDOWS\Fonts\latha.ttf,C:\WINDOWS\Fonts\wst_swed.fon,C:\WINDOWS\System32\catsrvut.dll,C:\WINDOWS\System32\c_737.nls,C:\WINDOWS\System32\dskquoui.dll,C:\WINDOWS\KB961501.log,C:\WINDOWS\Media\Windows Feed Discovered.wav,C:\WINDOWS\Help\nvwcpfr.hlp,C:\WINDOWS\Fonts\8514fixg.fon,C:\WINDOWS\Fonts\ITCKrist.TTF,C:\WINDOWS\Fonts\wst_fren.fon,C:\WINDOWS\System32\capicom.dll,C:\WINDOWS\System32\c_28603.nls,C:\WINDOWS\System32\dsauth.dll,
(Almost everything in this value is a standard Windows file: system DLLs, .nls code pages, fonts, help files and update logs that the program falsely reports as infected. The oddly named C:\WINDOWS\xazyzeco.dll is the exception and is worth checking on its own.)
- Value 11
Name: LastScan
Type: REG_DWORD
Data: ******
- Value 12
Name: Infected
Type: REG_DWORD
Data: 0x34 (52 decimal)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following is a list of files you may find in the "C:\program files\protection system" folder:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Size » Name
- 2,005,140 bytes » blacklist.cga
- 3,478,520 bytes » core.cga
- 44,032 bytes » coreext.dll
- 49,152 bytes » firewall.dll
- 99,678 bytes » help.ico
- 2,535,424 bytes » psystem.exe
- 53,248 bytes » uninstall.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
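The registry keys and files listed above, turned into a check script. This is an added example and not code from the original page; it assumes an elevated PowerShell prompt on the affected machine, and takes only the CLSID, value names and paths from the listing above. It reports what it finds and touches nothing unless run with -Remove.

```powershell
# Added example, not part of the original page: look for the "Protection System"
# indicators listed above and, only when -Remove is given, take them out.
# Assumes an elevated PowerShell prompt on the affected machine.
param([switch]$Remove)

$clsid = '{5E2121EE-0300-11D4-8D3B-444553540000}'
$dir   = Join-Path $env:ProgramFiles 'Protection System'

# Whole keys created by the rogue. HKCR is a view of HKLM\Software\Classes,
# so HKLM covers the CLSID and shell-extension registrations as well.
$keys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
    'HKLM:\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SimpleShlExt',
    'HKLM:\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SimpleShlExt',
    'HKLM:\SOFTWARE\Protection System'
)
# Single values inside shared keys: delete the value, never the key.
$values = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'; Name = $clsid },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                       Name = 'braviax' }
)

# -LiteralPath throughout: the "*" in the Classes\* key is a real key name, not a wildcard.
$findings = @()
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "key    $k" }
}
foreach ($v in $values) {
    $item = Get-Item -LiteralPath $v.Key -ErrorAction SilentlyContinue
    if ($item -and $null -ne $item.GetValue($v.Name)) {
        $findings += "value  $($v.Key) -> $($v.Name) = $($item.GetValue($v.Name))"
    }
}
if (Test-Path -LiteralPath $dir) {
    foreach ($f in Get-ChildItem -LiteralPath $dir | Where-Object { -not $_.PSIsContainer }) {
        $findings += "file   $($f.FullName) ($($f.Length) bytes)"
    }
}

if (-not $findings) { 'No "Protection System" indicators found.'; return }
$findings

if ($Remove) {
    # Stop the rogue first: Windows will not delete a running EXE or a loaded DLL.
    Get-Process -Name psystem, braviax -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($v in $values) {
        if (Test-Path -LiteralPath $v.Key) {
            Remove-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        }
    }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
    # coreext.dll is a context-menu handler and may still be loaded in explorer.exe;
    # if this step fails, reboot (the registrations are already gone) and delete the folder then.
    if (Test-Path -LiteralPath $dir) { Remove-Item -LiteralPath $dir -Recurse -Force }
}
```

Run it once without -Remove and compare the output with the listing above before running it again with -Remove. The Run entry gives only the file name braviax.exe, not where it lives on disk, so the script stops that process but does not delete the file; find and remove it yourself.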